Apache CVE-2026-32690

| EUVD-2026-23666 LOW
Exposure of Resource to Wrong Sphere (CWE-668)
2026-04-18 apache GHSA-w9r4-94fj-xp69
Apache Information Disclosure
3.7
CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Apr 20, 2026 - 17:54 vuln.today
CVSS changed
Apr 20, 2026 - 17:52 NVD
3.7 (LOW)

DescriptionNVD

Secrets in Variables saved as JSON dictionaries were not properly redacted - in case thee variables were retrieved by the user the secrets stored as nested fields were not masked.

If you do not store variables with sensitive values in JSON form, you are not affected. Otherwise please upgrade to Apache Airflow 3.2.0 that has the fix implemented

AnalysisAI

Apache Airflow 3.0.0 through 3.1.x fails to redact secrets stored as nested fields within JSON-formatted variables, allowing authenticated users with variable access to retrieve plaintext sensitive values. This information disclosure vulnerability affects deployments that store credentials or API keys as JSON dictionary structures in Airflow variables. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-32690 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy